The value of what we call Continuous Security Testing reflects the benefits of Agile development and DevSecOps, integrating and automating testing processes and related security measures from the very beginning of the development cycle. Testing early and testing often results in better protection, quicker times to market and reduced costs.
While a traditional penetration test is a snapshot-in-time assessment, Continuous Security Testing integrates with the development process. This allows the identification of vulnerabilities, and therefore remediation and retesting, to happen throughout the development process – rather than applying costly post-development patches. Continuous Security Testing takes place at the end of each Agile ‘sprint’, as soon as functional code is available. This allows any identified issues to be added to the backlog and prioritised for fixing in the following sprints, before the cycle continues. This method is particularly useful for applications developed in short iteration cycles and adds a pace to security improvements that traditional approaches can’t match.
Continuous Security Testing is efficient at finding most of the vulnerabilities that a penetration test would, including (but not limited to) injection attacks, session-related issues and business logic flaws. While these are the same as we find in other types of engagements, being able to implement fixes near the point of creation removes the need for separate teams having to unpick stale code to apply fixes at a later date. Working with the same team also helps to get a more in-depth understanding of the application, development process and the business decisions behind the system’s design. Together these mean that the test team can target testing to the needs and concerns of customers. Embedding the test team with the development team also breaks down the traditional barriers between developers and security testers, helps upskill developers and thus over time increases the quality of code at its inception.
When working with a team in this way, reporting can be done directly into a team’s bug tracking software. This allows developers to gain immediate, easy-to-digest visibility so that the team can prioritise accordingly. From a tester’s perspective, you can find an issue, inform the development team and have it fixed and re-tested within the hour!
Automated vulnerability scanning tools can also be used to provide frequent assurance on code as it is developed. However, they struggle to find business logic-based issues and without suitably skilled installation, configuration and maintenance they are prone to false positives. Although automation can support a team’s security aims, Continuous Security Testing follows a manual methodology and will always provide greater depth, and only highlight proven vulnerabilities.
Compromising security in the rush to market is no longer an option. Security by design is now the mantra for the technology industry. But this has to go hand in hand with early and continuous security testing. This is the only way to ensure the integrity of a new application, product or system through its entire lifecycle – achieved by harnessing the best manual skills and automated tools to achieve security at pace.